I just wanted to download the latest drivers for my gfx card. As the Sucuri site was open in my browser at that time, I just scanned nvidia.com, expecting that everything was okay. But Sucuri showed me a warning about nvidia.com instead (http://sitecheck.sucuri.net/results/www.nvidia.com).
As I'm no expert, I have no idea if this is a false positive. Nvidia and Sucuri don't respond to me, but maybe someone here can help me find out if there was/is a real threat. I was on nvidia.com and I'm therefore a bit worried.
From a site like this one we would expect otherwise, but the overall security situation is worse than I ever thought. :-[
Here we see errors and insecurities exposed: https://asafaweb.com/Scan?Url=www.nvidia.com%2Fpage%2Fhome.html
Custom Errors: Fail (can expose internal configuration details to attackers).
Excessive header info also:
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
HttpOnly Cookie vuln and Clickjacking vuln warnings; misspelled domain name for malicious purposes.
Well, Sucuri isn't the only scanner that detects it.
Web Security Test detects this from the JavaScript check:
Suspicious
.location = "htxp://www.nvidia.ru/page/home.html"; } if (existingcookie=="de") { window.location = "htxp://www.nvidia.de/page/home.html"; } if (existingcookie=="es") { window.l…
And naturally we see traces of a hack when we check the 404 error check: Suspicious
Re: http://jsunpack.jeek.org/?report=7b3271d196e510baaef41cd789101053d0df56ee
Suspicious 404 Page:
document.write(unescape('%3c')+'!-'+'-') //-->
I had seen the redirect. I thought that was a little bit weird. Thanks for the confirmation. I'll go tell Lorie to add it to the block list @ my school for a little while. You'd think they'd keep the site from being exposed like that. Such a big name being "hacked" is not good.
Thank you very much for your answers. Can you explain where the actual vulnerability is? All I see is a redirect to the Russian Nvidia site if a certain cookie exists. Was there a hack on the Russian site, and does this redirect therefore alarm Sucuri? Sorry for my curiosity.
Hi, Sucuri thought wXw.nvidia.com redirecting to wXw.nvidia.ru was suspicious. May I ask why you don't use GeForce Experience to update? It's a little simpler lol.
See how it is being detected now: http://maldb.com/www.nvidia.com/#
Avast: HTML:Iframe-inf
VIPRE: Heur.HTML.MalIFrame (v)
Norman: Iframer.AU
Sophos: Mal/Iframe-V
GData: HTML:Iframe-inf
ESET-NOD32: HTML/Iframe.B.Gen
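As an added example that is not code from this thread or from Sucuri, Avast or any scanner named in it, here are two heuristics a site owner could run over a fetched copy of their own page to flag the patterns reported above: a cookie-conditioned window.location redirect, and a hidden iframe. SAMPLE_HTML is constructed from the snippet quoted earlier; "htxp" is a defanged scheme and example.invalid is a placeholder host.

```javascript
// Added example: flags cookie-conditioned redirects and hidden iframes in an HTML body.
// SAMPLE_HTML is constructed; "htxp" is defanged and example.invalid is a placeholder host.
const SAMPLE_HTML = `
<html><body>
<script>
var existingcookie = document.cookie.split("lang=")[1];
if (existingcookie=="ru") { window.location = "htxp://www.nvidia.ru/page/home.html"; }
if (existingcookie=="de") { window.location = "htxp://www.nvidia.de/page/home.html"; }
</script>
<p>Visible page content</p>
<iframe src="htxp://example.invalid/x.html" width="1" height="1" style="display:none"></iframe>
</body></html>`;

// Pull the body of every inline <script> block out of the HTML.
function extractScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m; (m = re.exec(html)) !== null;) out.push(m[1]);
  return out;
}

// Flag "if (x == 'value') { window.location = '...' }" redirects and record whether the
// script reads document.cookie, the combination that made the scanners suspicious.
function findCookieRedirects(html) {
  const hits = [];
  for (const js of extractScripts(html)) {
    const readsCookie = /document\.cookie/.test(js);
    const re = /if\s*\(\s*(\w+)\s*==\s*["']([^"']+)["']\s*\)\s*\{\s*window\.location\s*=\s*["']([^"']+)["']/g;
    for (let m; (m = re.exec(js)) !== null;) {
      hits.push({ variable: m[1], cookieValue: m[2], target: m[3], readsCookie });
    }
  }
  return hits;
}

// Flag iframes styled invisible or sized 1px or less, the usual shape of an injected iframe.
function findHiddenIframes(html) {
  const hits = [];
  const re = /<iframe\b([^>]*)>/gi;
  for (let m; (m = re.exec(html)) !== null;) {
    const attrs = m[1];
    // Numeric width/height attribute, or NaN when absent (NaN <= 1 is false, so absent != tiny).
    const dim = (n) => Number((attrs.match(new RegExp("\\b" + n + "\\s*=\\s*[\"']?(\\d+)", "i")) || [])[1]);
    const styled = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs);
    const tiny = dim("width") <= 1 || dim("height") <= 1;
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1] || "";
    if (styled || tiny) hits.push({ src, styled, tiny });
  }
  return hits;
}
```

A geo redirect like the one quoted is legitimate on its own; the check is only worth an alert when the target host is not one you control, or when a hidden iframe appears alongside it.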
I rescanned nvidia.com several times over the day, always the same.
What I'm wondering about is, wouldn't there be a bigger outcry if Nvidia were really delivering malware? That's why I'm under the impression that this is just some kind of sloppiness by Nvidia and not really malware. In addition, Sucuri states that nvidia.com is malicious because of a blacklisted site which comes after a redirect (the Russian site):
Thank you polonus, but do you have any explanation why Nvidia is not reacting if this is in fact a real threat? I mean, this has been going on for days now.
I saw in another thread that Avast contacts or is contacted by affected site admins. If Avast detects a malicious iframe there, why hasn't this problem been solved by now? To be clear, I haven't visited nvidia.com myself, but according to polonus' maldb link, Avast detects a threat on nvidia.com.
Nvidia is currently infected with a hidden iframe. However, they may not know yet. Pol indicated that it looked like they were cleaning it up. When it's finished, Avast! may automatically stop detecting it. If it doesn't, then it's up to them to contact Avast! directly.